List:       bouncycastle-crypto-dev
Subject:    Re: [dev-crypto] JDKPKCS12KeyStore and preserving order of chain
From:       David Hook <dgh () lockboxlabs ! com>
Date:       2008-10-27 0:34:29
Message-ID: 1225067669.5424.4.camel () echidna


We could probably do something about this - it would only work for a
single key/cert chain though. The truth is there is not a "proper" order
for a certificate chain in a PKCS#12 file, and any software that assumes
it can reconstruct the certificate chain for a private key on the basis
of the order of certificates in a CertBag is totally broken.

I'm assuming they think of proper order as the same as for the Java
version of the certificate chain?

Regards,

David

On Thu, 2008-10-23 at 01:41 -0700, Alexander Korobov wrote:
> Hi, 
> 
> I'm looking into JDKPKCS12KeyStore source code and it seems it does not
> preserve order of certificates given in KeyStore.setKeyEntry(...) since all
> chain certificates are kept in hash map. 
> 
> This results in engineStore writing chain certificates in arbitrary order.
> This behavior is different from that of openssl, which actually preserves
> certificate order. 
> 
> Is there any reason JDKPKCS12KeyStore would not want to preserve order of
> chain certificates? 
> 
> (The background of the question is software I'm working on is expecting
> pkcs12 files to contain certificate chain in proper order.) 
> 
> Thanks, 
> Alex
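
Rebuilding a chain the way David's reply says is the only sound one, by following issuer links from the leaf and checking each signature instead of trusting CertBag order. This is an added example against the standard Java KeyStore API, not code from the thread or from Bouncy Castle; the file path and password are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;

public final class Pkcs12ChainBuilder {

    /** Collects every X.509 certificate in the PKCS#12 file; the order the bags were stored in is irrelevant. */
    static Set<X509Certificate> loadAllCerts(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        Set<X509Certificate> certs = new LinkedHashSet<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.getCertificateChain(alias);   // key entries
            if (chain != null) for (Certificate c : chain) certs.add((X509Certificate) c);
            Certificate single = ks.getCertificate(alias);         // plain cert bags
            if (single instanceof X509Certificate) certs.add((X509Certificate) single);
        }
        return certs;
    }

    /** Orders certificates leaf-first by matching issuer to subject and verifying the signature,
     *  so a same-named CA with a different key (re-keyed or cross-signed) is skipped. */
    static List<X509Certificate> buildChain(X509Certificate leaf, Collection<X509Certificate> pool) {
        List<X509Certificate> chain = new ArrayList<>();
        Set<X509Certificate> seen = new HashSet<>();                // loop guard for malformed stores
        X509Certificate current = leaf;
        while (current != null && seen.add(current)) {
            chain.add(current);
            if (current.getSubjectX500Principal().equals(current.getIssuerX500Principal())) break; // self-signed root
            X509Certificate next = null;
            for (X509Certificate candidate : pool) {
                if (!candidate.getSubjectX500Principal().equals(current.getIssuerX500Principal())) continue;
                try { current.verify(candidate.getPublicKey()); next = candidate; break; }
                catch (Exception e) { /* right name, wrong key: keep looking */ }
            }
            current = next;
        }
        return chain;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path and password; the leaf is the certificate bound to the private key alias.
        Set<X509Certificate> pool = loadAllCerts("/path/to/store.p12", "changeit".toCharArray());
        X509Certificate leaf = pool.iterator().next();
        buildChain(leaf, pool).forEach(c -> System.out.println(c.getSubjectX500Principal()));
    }
}
```

If the walk stops before a self-signed certificate, the store is missing an intermediate, which is exactly the case that order-dependent readers silently get wrong.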

